emotet | 0742e51d1d636720c7623c0188b232a17a492f64ae38550ba9ec46b2b7f32a2b

General

Target

DETAILS 14032023.doc
Size

518.4MB
MD5

f30f9eed1fc654c010ab7dec52291fbd
SHA1

b17388dbcf3a8e437358865c597ba372c7a4a79d
SHA256

32b73674bef1bf5a7893ddfff9ab38c3efb281f09838c723cbf5c9f1f5cca10c
SHA512

7485d2adad87bbc74281dc555e9e97284a4ef2513093b6e1448c06ddb1fa32bbbf13515a88af2ea14b6136c4f6726ffe4f7929619ab9f57c3d840b36d9cd1faf
SSDEEP

6144:5yk1RgZZXbN63GW1Z7krKSUzMNYJJdKkOl950uH54Lg4Ne9C:5/MXJ6WW1Z7ktUgNYJJdKkOHC4D409

Score

10^/10

emotet epoch5 banker trojan

Malware Config

Extracted

Family

emotet

Botnet

Epoch5

C2

103.85.95.4:8080

103.224.241.74:8080

178.238.225.252:8080

37.59.103.148:8080

78.47.204.80:443

138.197.14.67:8080

128.199.242.164:8080

54.37.228.122:443

37.44.244.177:8080

139.59.80.108:8080

218.38.121.17:443

82.98.180.154:7080

114.79.130.68:443

159.65.135.222:7080

174.138.33.49:7080

195.77.239.39:8080

193.194.92.175:443

198.199.70.22:8080

85.214.67.203:8080

93.84.115.205:7080

ecs1.plain

eck1.plain

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

regsvr32.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process	4544	4656	regsvr32.exe	WINWORD.EXE

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.

Processes:

description flow ioc

HTTP User-Agent header 41 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

WINWORD.EXE

pid process

4656 WINWORD.EXE
4656 WINWORD.EXE
Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

WINWORD.EXE

pid process

4656 WINWORD.EXE
4656 WINWORD.EXE
4656 WINWORD.EXE
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

WINWORD.EXE

pid process

4656 WINWORD.EXE
4656 WINWORD.EXE
4656 WINWORD.EXE
4656 WINWORD.EXE

description	flow	ioc
HTTP User-Agent header	41	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

pid	process
4656	WINWORD.EXE
4656	WINWORD.EXE

pid	process
4656	WINWORD.EXE
4656	WINWORD.EXE
4656	WINWORD.EXE

pid	process
4656	WINWORD.EXE
4656	WINWORD.EXE
4656	WINWORD.EXE
4656	WINWORD.EXE

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

WINWORD.EXE

description	pid	process	target process
PID 4656 wrote to memory of 4544	4656	WINWORD.EXE	regsvr32.exe
PID 4656 wrote to memory of 4544	4656	WINWORD.EXE	regsvr32.exe

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\DETAILS 14032023.doc" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4656

C:\Windows\System32\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\151945.tmp"
2⤵
- Process spawned unexpected child process
PID:4544

C:\Windows\system32\regsvr32.exe
C:\Windows\system32\regsvr32.exe "C:\Windows\system32\GjluYzl\cZMUbTxezqHdewmO.dll"
3⤵
PID:4936

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\151945.tmp
Filesize
334.9MB

MD5
fc5e2fde03f8ee8a683fda96ad9a0b9e

SHA1
733be11a461a0d3674887e067d759ab44288a294

SHA256
a63bd985eca877db4d5507600ba5ed2f7ce1c0f1952629309d44d36b2553f162

SHA512
b4e62bcdbba972d9c1de46a5b10bbef71562ac774400726272e07d6d97356e723c8839ad25d9902b3fa08b498c53dc996064167dedb90b49e2903284f6cf1034

Download Submit
C:\Users\Admin\AppData\Local\Temp\151945.tmp
Filesize
332.4MB

MD5
05dd2d64ffdb0676399cd22b92df90f1

SHA1
66e5a7dbea7f167c65e96f01f18b2c75258c6ac9

SHA256
34f1bb6dabbc55a5dcb5c40fdc3afd2cd72acce032ecceefe037bd32abada99f

SHA512
6c5363ea928cbd4038bf48924194e5881707c4e2fe770085b9160b3f9756a3013d6047263c43e79f989fd685c3572696df11691c586b2738ca9c91873fe30ce3

Download Submit
C:\Users\Admin\AppData\Local\Temp\151945.zip
Filesize
845KB

MD5
2ecd14dbe0acfb6d20dba5f465905864

SHA1
2455ed294b703ca5bd72d125c21dfc9ca7bc0043

SHA256
a9de2a7fb170756cdeff00a4ed19574ffaaf1d59383728002390c8784764912f

SHA512
d969534ae1d935438e62bc5640f039bd987774ea4b0f60da700353ec7a8531f288698b1fca17cec583c689f05791735282dc438a84536a9be5fdf0f9688a0b53

Download Submit
C:\Windows\System32\GjluYzl\cZMUbTxezqHdewmO.dll
Filesize
324.4MB

MD5
1cd6937ad3e3c9edea24f213eacf4bab

SHA1
b95889d00ab2e33f2f40c6dac7e8e869c6ea9935

SHA256
1320f55fc77f61b3af69d0fd5e1f991e2950f8c482a3a3b83474ad12330b3cf5

SHA512
c4692d49c63f6d08beda88c5e7e0fbf5428fd899866bc6e1166c16a6f7b0d001a623c1f3a453cdc2e65a996ab471bde0f8632a7994aa7c7927d2ebc9047a7c11

Download Submit
memory/4544-182-0x0000000002B60000-0x0000000002B8C000-memory.dmp

Filesize
176KB

Download
memory/4544-185-0x0000000001160000-0x0000000001161000-memory.dmp

Filesize
4KB

Download
memory/4656-137-0x00007FF83AAD0000-0x00007FF83AAE0000-memory.dmp

Filesize
64KB

Download
memory/4656-139-0x00007FF83AAD0000-0x00007FF83AAE0000-memory.dmp

Filesize
64KB

Download
memory/4656-138-0x00007FF83AAD0000-0x00007FF83AAE0000-memory.dmp

Filesize
64KB

Download
memory/4656-142-0x00007FF8383D0000-0x00007FF8383E0000-memory.dmp

Filesize
64KB

Download
memory/4656-140-0x00007FF83AAD0000-0x00007FF83AAE0000-memory.dmp

Filesize
64KB

Download
memory/4656-141-0x00007FF8383D0000-0x00007FF8383E0000-memory.dmp

Filesize
64KB

Download
memory/4656-136-0x00007FF83AAD0000-0x00007FF83AAE0000-memory.dmp

Filesize
64KB

Download
memory/4656-210-0x00007FF83AAD0000-0x00007FF83AAE0000-memory.dmp

Filesize
64KB

Download
memory/4656-209-0x00007FF83AAD0000-0x00007FF83AAE0000-memory.dmp

Filesize
64KB

Download
memory/4656-211-0x00007FF83AAD0000-0x00007FF83AAE0000-memory.dmp

Filesize
64KB

Download
memory/4656-212-0x00007FF83AAD0000-0x00007FF83AAE0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads